Second data breach at OPM confirmed

Second data breach at OPM confirmedAfter a tumultuous few weeks for the Office of Personnel Management (OPM), a second data breach has been confirmed which is said to have affected up to 14 million stolen records.

White House officials believe that the attackers accessed a document called ‘Standard Form 86’, which is filled out by people applying for national security positions. These forms hold a wealth of sensitive information, including drug and alcohol use, mental illness, bankruptcy, arrests, as well as a list of contacts and relatives, which could potentially extend the scope of the breach to millions more Americans.

Now, not only has information been stolen from military and intelligence personnel in this second attack, but also the breach likely extends outside of the federal government.

The attacks were likely carried out by the same hackers – who have ties to China – who infiltrated the OPM’s server and stole 4.2 million federal employees’ data earlier this year.

For security reasons, the OPM is not discussing specifics of the second breach, but it is clear that the US Government is under increased pressure to fix the vulnerabilities within its systems before any more newsworthy breaches happen.

30-day Cybersecurity Sprint

Following these major breaches, the White House has tried to fight back by launching a 30-day programme to boost cybersecurity protocols across the government. The program asks agencies to take specific steps over the next month to better protect sensitive information and make it more difficult for hackers to gain access to federal systems.

Those steps include:

  • to fix any cybersecurity vulnerabilities immediately;
  • tighten policies and practices for privileged users who can access sensitive information;
  • implement multi-factor authentication procedures for accessing federal networks;
  • employ electronic “indicators” provided by the Department of Homeland Security that show when there has been a malicious cyberattack.

Source: Washington Times

This screams ‘all a little too late’, but at least the government is finally sitting up to take notice of the cyber threat and taking some sort of action.

If you’re concerned about vulnerabilities on your website and the risk of sensitive data being exposed, then we strongly recommend that you test your network and web applications regularly to identify vulnerabilities and fix them before hackers exploit them.

While it’s not always possible to do this yourself, there are penetration testing services available to do this for you.

Penetration testing involves simulating a malicious attack on an organization’s information security arrangements, often using a combination of methods and tools. It has to be conducted by a certified ethical professional tester (such as CREST-qualified staff), and the findings will provide you with information about security measures your organization can improve.

As a CREST member company, we’ve been verified by an independent body attesting that our work will be carried out to a high standard by qualified and knowledgeable individuals. Our Web Application Penetration Test combines a number of advanced manual tests with automated vulnerability scans to ensure every corner of your web applications are tested.

The Web Application Penetration Test includes:

  • Carefully scoping your testing environment
  • Performing a range of manual and automated tests
  • Providing a detailed report that explains the vulnerabilities found and recommending measures to address them
  • Delivering an executive summary that is perfect for your management team

For more information on our penetration testing services or to book your test, visit IT Governance’s website, call us toll free on 1 877 317 3454, or email